Introduction
Security assessment and testing are critical components of any information security program. Organizations must accurately assess their real-world security, focus on the most critical components, and make necessary changes to improve.
In this domain, we will discuss two major components of assessment and testing: security control testing (including vulnerability assessment, penetration testing, and security audits) and collecting and analyzing security process data (to determine how effective the security controls are).
Note that there is overlap between this domain and Chapter 9, Domain 8: Software Development Security, especially regarding application testing. We will discuss concepts such as ethical disclosure and code review in Chapter 9.
Security Control Testing
Several processes exist to assess the effectiveness of security controls. Tests with a narrower scope include penetration tests, vulnerability assessments, and security audits. A security assessment is a broader test that may include narrower tests, such as penetration tests, as subsections.
Internal, External, Employee, and Third-Party Testing
The terms “internal” and “external” can be ambiguous. Does “external” refer to where the test is launched (such as a penetration test launched from the Internet), or does it refer to the role of the penetration tester (third-party or employee)? NIST SP 800-115 makes it clear:
- Internal Security Testing: Security testing conducted from inside the organization’s security perimeter
- External Security Testing: Security testing conducted from outside the organization’s security perimeter[1]
That gives a total of four types of testing: internal/employee, external/employee, internal/third-party, and external/third-party.
Penetration Testing
A penetration tester is an ethical hacker who receives authorization to attempt to break into an organization’s physical or electronic perimeter (and sometimes both). Penetration tests (called “pen tests” for short) are designed to determine whether unethical hackers could do the same. They are a narrow, but often useful, test, especially if the penetration tester is successful.
Penetration tests may include the following tests:
- Network (Internet)
- Network (internal or DMZ)
- War dialing
- Wireless
- Physical (attempt to gain entrance into a facility or room)
Network attacks may leverage client-side attacks, server-side attacks, or Web application attacks. See Chapter 4, Domain 3: Security Architecture and Engineering, for more information on these attacks. War dialing uses a modem to dial a series of phone numbers, looking for an answering modem carrier tone (the penetration tester then attempts to access the answering system); the name derives from the 1983 movie WarGames.
Social engineering is a no-tech or low-tech method that uses the human mind to bypass security controls. Social engineering may be used in combination with many types of attacks, especially client-side attacks or physical tests. An example of a social engineering attack combined with a client-side attack is emailing malware with a Subject line of “Category 5 Hurricane is about to hit Florida!” A physical social engineering attack (used to tailgate an authorized user into a building) is described in Chapter 4, Domain 3: Security Architecture and Engineering.
A zero-knowledge (also called black box) test is “blind”; the penetration tester starts with no external or trusted information and begins the attack with public information only. A full-knowledge test (also called crystal-box) provides internal information to the penetration tester, including network diagrams, policies, and procedures, and sometimes reports from previous penetration testers. Partial-knowledge tests are in between zero and full knowledge: the penetration tester receives some limited trusted information.
Some clients prefer the zero-knowledge approach, feeling this will lead to a more accurate simulation of a real attacker’s process. This may be a false premise: a real attacker may be an insider or have access to inside information.
Full-knowledge testing can be far more efficient, allowing the penetration tester to find weaker areas more quickly. Most penetration tests have a scope that includes a limitation on the time spent conducting the test. Limited testing time may cause a test to fail where more time would have led to success. Full-knowledge tests are also safer: systems are less likely to crash if the penetration tester has extensive information about the targets before beginning the test.